Security Predictions for 2010

Websense has made ten predictions about security/vulnerability trends for 2010. There’s no crystal ball, so we’re not talking about malicious innovation, but mostly a recognition that certain nefarious activities are gaining traction and will expand in the near future. Of particular interest to OSNews readers: exploitation of Windows 7 and IE 8 vulnerabilities, the beginning of the end of the Mac’s reprieve on security issues, and increasing targeting of mobile devices (beyond Rickrolling your iPhone, presumably). Read on for the OSNews 2010 security predictions.

It’s touched upon briefly in this article, but I think one of the most serious “security” issues for 2010 won’t be the exploitation of a technological security flaw per se, but rather an abuse of the social contract. The past few years have seen an explosion of social networking and crowdsourcing, which has enriched our online lives tremendously. But anytime something becomes important to people, there’s never a shortage of scumbags who will try to make a buck by stealing, hijacking or kidnapping it. In this case, it’s the trust in the content of Web 2.0 services that’s going to be under attack.

You already can’t trust that your Twitter followers are human beings, or that the people you’re cruising on Craigslist are, for that matter. In most of these cases, the worst consequence will be seeing unwanted ads for shady products or services, though there’s always the chance you could be roped into a more elaborate con. And there’s always been the chance that when you’re reading reviews of a Bed and Breakfast that a bunch of them were written by the proprietor and his family using fake names. But increasingly the fraud is becoming mass produced and fully or partially automated. Just as in the late 90s email was at the tipping point of being unacceptably full of spam for many people, social networks and crowdsource-type online resources are in danger of being choked with so much illegitimate content that they can’t be trusted. CAPTCHAs will only get us so far. I fear that by the end of 2010, you won’t be able to trust most online reviews for anything.

I’m actually somewhat optimistic about the traction that classic social engineering-based scams such as phishing are going to have moving forward. Of course, the sophistication of modern spam filters keeps most of these come-ons from even reaching people’s inboxes, and with every year that goes by, the average internet user is a little more sophisticated about recognizing the signs. Though there will probably be small incremental improvements in the tools that scammers use to make a phishing scheme look legit, I don’t think there will be a lot of growth, and in the meantime, users are only becoming less likely to fall for them.

Similarly, I think that the ability for OS and software makers to harden their systems will outpace crackers’ ability to come up with new exploits. It will take a decade or more for the existing botnets and vulnerable systems to cycle through, and no system will ever be completely immune to a concentrated attack, but the kind of wholesale, slash-and-burn exploitation will become less widespread over time. The 2000s will prove to have been the salad days for bot herders and other mass-market malicious hackers. I actually don’t agree with the article that Macs or mobile devices will see any substantial exploits in 2010. (And no, jailbroken iPhones with default passwords don’t count). Likewise, though Windows will continue to be the main target for crackers and criminals of all stripes, their job will get incrementally harder over the coming years.

The perversion of the legitimate market as a launchpad for scams, mentioned in the context of scammers buying ads rather than hijacking them, is one of the oldest tricks in the book. Scammers have been buying ads in newspapers, magazines, and on TV for as long as those media have existed, and have used telephones and the mail to perpetrate their fraud. Ad space is particularly inexpensive right now, so the economics are temporarily favorable. Though I don’t know of any out-and-out frauds to date, shady people occasionally get their ads through onto OSNews, and it’s usually the vigilance of the readers that brings it to our attention and gets us to stamp it out. Of course, Craigslist is a minefield of criminals and mischief-makers posting what look like legitimate ads intended to trick or defraud people. There are very few technical countermeasures to these kinds of fraud. Only educating people to be aware and vigilant will have much effect. And although nobody ever went broke betting on people’s stupidity, the average person’s susceptibility to being tricked by yesterday’s con always decreases over time, just through familiarity. Remember that in the early days of cinema, audiences were scared that the train depicted on the screen was going to hit them. 100 years later, you’d be hard pressed to find anyone, no matter where you went in the world, who would be fooled by a movie screen. People aren’t smarter, just more familiar.

So my security predictions for 2010 are a combination of optimism and pessimism. Let’s hear yours in the comments.
